updated INSTALL docu and apache templates

2013-03-29 19:47:59 +01:00 · 2013-03-29 19:47:59 +01:00 · 24523ea621
parent 9e9bdcbfa4
commit 24523ea621
5 changed files with 155 additions and 98 deletions
--- a/INSTALL/INSTALL.txt
+++ b/INSTALL/INSTALL.txt
@ -22,60 +22,141 @@ Security


 INSTALLATION INSTRUCTIONS
+------------------------- for ubuntu 12.04-server
+
+1/ Minimal ubuntu install
 -------------------------
-Install the following libraries:
-apt-get install zip
-apt-get install php-pear
-pear install Crypt_GPG    # need version >1.3.0 
+Install a minimal ubuntu 12.04-server system with the software:
+- OpenSSH server
+- LAMP server
+- Mail server
+
+You will get some questions, you will probably want to set:
+- Postfix Configuration: Satellite system
+
+Make sure your system is up2date:
+apt-get update
+apt-get upgrade
+
+
+2/ Dependencies
+----------------
+Once the system is installed you can perform the following steps as root:
+
+# Because vim is just so practical
+apt-get install vim
+
+# Install the dependencies:
+apt-get install zip php-pear git
+pear install Crypt_GPG    # we need version >1.3.0 
 pear install Net_GeoIP
-# ideally make sure geoip database is updated using crontab
-#wget 'http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz'
-#gunzip GeoIP.dat.gz


+3/ CakePHP
+-----------
 # Download CakePHP from github
 cd /opt/
-git pull https://github.com/cakephp/cakephp.git
-chmod -R 755 /opt/cakephp
+git clone https://github.com/cakephp/cakephp.git

+# You should REALLY make sure that you install security updates of CakePHP when your system is in production !

-# Download CyDefSIG using git in the /var/www/ directory. 
+# If you plan to run multiple MISP instances on a single server, only one installation of CakePHP is needed !
+
+4/ MISP code
+------------
+# Download MISP using git in the /var/www/ directory. 
 cd /var/www/
 git clone https://github.com/BeDefCERT/MISP.git 

+# Make git ignore filesystem permission differences
+cd /var/www/MISP
+git config core.filemode false
+

 # Check if the permissions are set correctly using the following commands as root:
-chown -R <user>:www-data /var/www/cydefsig
-chmod -R 750 /var/www/cydefsig
-chmod -R g+s /var/www/cydefsig
-cd /var/www/cydefsig/app/
-chmod -R g+w tmp
-chmod -R g+w files
+chown -R www-data:www-data /var/www/MISP
+chmod -R 750 /var/www/MISP
+cd /var/www/MISP/app/
+chmod -R g+ws tmp
+chmod -R g+ws files
+cd /var/www/MISP

-# Import the empty MySQL database from /var/www/cydefsig/app/MYSQL.sql using phpmyadmin or mysql>.
+##
+## FIXME this is not really clean
+## 
+# Currently you will need to copy the plugins to the CakePHP directory.
+cp -r /var/www/MISP/plugins/* /opt/cakephp/plugins/
+chmod -R o+rx /opt/cakephp/plugins

-# Now configure your apache server with the DocumentRoot /var/www/cydefsig/app/webroot/
+5/ Create a database and user
+-----------------------------
+# Enter the mysql shell
+mysql -u root -p
+
+mysql> create database misp;
+mysql> grant usage on *.* to misp@localhost identified by 'XXXXXXXXX';
+mysql> grant all privileges on misp.* to misp@localhost ;
+mysql> exit
+
+# Import the empty MySQL database from MYSQL.sql 
+mysql -u misp -p misp < INSTALL/MYSQL.sql


-# Configure the fields in the files:
+6/ Apache configuration
+-----------------------
+# Now configure your apache server with the DocumentRoot /var/www/MISP/app/webroot/
+# A sample ghost can be found in /var/www/MISP/INSTALL/apache.misp
+
+cp /var/www/MISP/INSTALL/apache.misp /etc/apache2/sites-available/misp
+a2dissite default
+a2ensite misp
+
+# Enable modules
+a2enmod rewrite
+
+# Restart apache
+service apache2 reload
+
+# We seriously recommend using only SSL ! 
+# Check out the apache.misp.ssl file for an example
+
+
+7/ MISP configuration
+---------------------
+# Configure the fields in the files located in /var/www/MISP/app/Config/:
 database.php : login, port, password, database
 bootstrap.php: CyDefSIG.*, GnuPG.*
-core.php : debug, 
-webroot/index.php : CAKE_CORE_INCLUDE_PATH   (optional for multi-cydefsig installations)
+core.php : debug, Security.*
+
+# and make sure the file permissions are still OK
+chown -R www-data:www-data /var/www/MISP/app/Config
+chmod -R 750 /var/www/MISP/app/Config
+
+
+# Let MISP know where the CakePHP libraries are located by editing the file app/webroot/index.php and setting (on line 59):
+	define('CAKE_CORE_INCLUDE_PATH', '/opt/cakephp/lib');
+

 # Generate a GPG encryption key.
-mkdir /var/www/cydefsig/.gnupg
-chown www-data:www-data /var/www/cydefsig/.gnupg
-chmod 700 /var/www/cydefsig/.gnupg
-sudo -u www-data gpg --homedir /var/www/cydefsig/.gnupg --gen-key
+mkdir /var/www/MISP/.gnupg
+chown www-data:www-data /var/www/MISP/.gnupg
+chmod 700 /var/www/MISP/.gnupg
+sudo -u www-data gpg --homedir /var/www/MISP/.gnupg --gen-key
+# Recommended key type: RSA (sign only)
+# The email address should match the one set int he bootstrap.php configuration file

 # And export the public key to the webroot
-sudo -u www-data gpg --homedir .gnupg --export --armor no-reply > app/webroot/gpg.asc
+sudo -u www-data gpg --homedir /var/www/MISP/.gnupg --export --armor YOUR-EMAIL > /var/www/MISP/app/webroot/gpg.asc
+
+

 # Create the Role Based Access Control (RBAC) tables and content:
-cd /var/www/cydefsig/app
-./Console/cake acl create aco root controllers
-./Console/cake AclExtras.AclExtras aco_sync
+cd /var/www/MISP/app
+export PATH="$PATH:/opt/cakephp/lib/Cake/Console"
+cake acl create aco root controllers
+cake AclExtras.AclExtras aco_sync    
+# You might get an 'Warning Error: Argument…'
+# however if it ends with 'Aco Update Complete' it should be OK


 Now log in using the webinterface:
@ -105,15 +186,14 @@ with <your org> being MIL.BE or NCIRC where appropriate.
 Import the regexp data in /var/www/cydefsig/app/MYSQL.regexp.sql using phpmyadmin or mysql>.


-Recommended patches
+Recommended actions
 -------------------
-By default CakePHP exposes his name and version in email headers. Apply a patch to remove this behavior.
+- By default CakePHP exposes his name and version in email headers. Apply a patch to remove this behavior.
+
+- You should really harden your OS
+- You should really harden the configuration of Apache
+- You should really harden the configuration of MySQL
+- Keep your software up2date (MISP, CakePHP and everything else)
+- Log and audit

-Multiple instances on a single server
-------------------------------------
-If you want to install multiple instances on a single server, extract the CakePHP sources 
-in a central location like /opt/cakephp.
- 
-Then edit /var/www/cydefsig/app/webroot/index.php and change :
-	define('CAKE_CORE_INCLUDE_PATH', '/opt/cakephp/lib');

--- a/INSTALL/INSTALL.ubuntu.txt
+++ b/INSTALL/INSTALL.ubuntu.txt
@ -1,34 +0,0 @@
-INSTALLATION INSTRUCTIONS
-------------------------
-If on Ubuntu, besides the DocumentRoot,
-you have to change the AllowOverride from None to All as well.
-
-	DocumentRoot /var/www/cydefsig/app/webroot/
-	<Directory />
-		Options FollowSymLinks
-		AllowOverride All
-	</Directory>
-	<Directory /var/www/>
-		Options Indexes FollowSymLinks MultiViews
-		AllowOverride All
-		Order allow,deny
-		allow from all
-	</Directory>
-
-Find the original below, for reference.
-
-	DocumentRoot /var/www
-
-	<Directory />
-		Options FollowSymLinks
-		AllowOverride None
-	</Directory>
-	<Directory /var/www/>
-		Options Indexes FollowSymLinks MultiViews
-		AllowOverride None
-		Order allow,deny
-		allow from all
-	</Directory>
-
-Now /etc/init.d/apache2 restart
-and you are done, and now able to use the application.
--- a/INSTALL/INSTALL.vhost.txt
+++ b/INSTALL/INSTALL.vhost.txt
@ -1,26 +0,0 @@
-VIRTUAL HOST INSTRUCTION
------------------------
-
-CyDefSIG is able to run in an Apache virtual host setup.
-This takes 2 variables, the hostname and CyDefSIG directory.
-To this one must enter the hostname in /etc/hosts
-and create an Apache config in apache2/sites-available.
-
-Say we have a hostname cydefsig2.local.net and
-CyDefSIG installed in /var/www/second_instance/cydefsig,
-we will add to /etc/hosts:
-
-127.0.1.1       cydefsig2.local.net
-
-And create a file /etc/apache2/sites-available/<second_instance_name>
-containing:
-
-<VirtualHost *:80>
-        ServerAdmin webmaster@example.com
-        ServerName  cydefsig2.local.net
-        ServerAlias mysite
-
-        # Indexes + Directory Root.
-        DirectoryIndex index.php
-        DocumentRoot /var/www/second_instance/cydefsig/app/webroot
-</VirtualHost>
--- a/INSTALL/apache.misp
+++ b/INSTALL/apache.misp
@ -0,0 +1,16 @@
+<VirtualHost *:80>
+        ServerAdmin me@me.local
+        ServerName misp.local
+        DocumentRoot /var/www/MISP/app/webroot
+        <Directory /var/www/MISP/app/webroot>
+                Options -Indexes FollowSymLinks
+                AllowOverride all
+                Order allow,deny
+                allow from all
+        </Directory>
+
+        LogLevel warn
+        ErrorLog /var/log/apache2/misp.local_error.log
+        CustomLog /var/log/apache2/misp.local_access.log combined
+        ServerSignature Off
+</VirtualHost>
--- a/INSTALL/apache.misp.ssl
+++ b/INSTALL/apache.misp.ssl
@ -0,0 +1,21 @@
+<VirtualHost 192.168.1.1:443>
+        ServerAdmin me@me.local
+        ServerName misp.local
+        DocumentRoot /var/www/MISP/app/webroot
+        <Directory /var/www/MISP/app/webroot>
+                Options -Indexes FollowSymLinks
+                AllowOverride all
+                Order allow,deny
+                allow from all
+        </Directory>
+
+        SSLEngine On
+        SSLCertificateFile /etc/ssl/private/misp.local.crt
+        SSLCertificateKeyFile /etc/ssl/private/misp.local.key
+        SSLCertificateChainFile /etc/ssl/private/misp-chain.crt
+
+        LogLevel warn
+        ErrorLog /var/log/apache2/misp.local_error.log
+        CustomLog /var/log/apache2/misp.local_access.log combined
+        ServerSignature Off
+</VirtualHost>